Microsoft Issues Fix to Keep Duqu at Bay

By Richard Adhikari
Nov 7, 2011 6:00 AM PT

Microsoft on Friday released a temporary fix for a Microsoft Word vulnerability that allows the Duqu worm to attack PCs.

The flaw, in TrueType font parsing, could let an attacker run arbitrary code in kernel mode and then install programs; view, change or delete data; or create new accounts with full user rights, Microsoft said.

The vendor stated that it's aware of targeted attacks that try to use the vulnerability, but there hasn't been much impact on Windows users so far.

"It's important to note that the associated risk is minimal for the public," Jerry Bryant, group manager, response communications, Microsoft Trustworthy Computing, told TechNewsWorld.

However, the patch only deals with the Microsoft Word side of the equation; users will still be vulnerable to Duqu malware unless they update their security software.

"The zero-day vulnerability being discussed in connection to Duqu is not actually in the Duqu malware; it's part of an installer application that was used to install the malware in at least one instance that Symantec is aware of," Kevin Haley, director of Symantec Security Response, told TechNewsWorld.

"Therefore, a patch to remedy the software vulnerability will not protect against the actual Duqu malware," Haley added.

Measures Microsoft recommends users take to protect themselves against Duqu include enabling a firewall on their computers, getting the latest updates for all their software, using up-to-date antivirus software, limiting user privileges on their computers, being careful when opening attachments and clicking on links to Web pages, and using strong passwords.

What's a Duqu Anyhow?

Duqu was discovered last month by CrySyS, the cryptography and system security lab at the Budapest University of Technology and Economics.

Symantec, which analyzed Duqu samples, confirmed CrySyS' initial assessment that the malware was likely written by the same people who created the highly dangerous Stuxnet worm, which had infiltrated Iranian nuclear installations.

Duqu is primarily a remote access Trojan that doesn't self-replicate, and it was highly targeted toward a limited number of organizations for their specific assets, Symantec found.

"We know of multiple companies which have been targeted," Symantec's Haley said. "They are suppliers to industrial facilities, and other organizations outside the industrial sector."